Large Internet content provider leverages Covestic's expertise to achieve SOX regulatory compliance
BUSINESS CHALLENGE
The federal government had passed major legislation that required a very high
degree of accountability and accuracy for financial reporting for publicly traded
companies. As a result of rapid growth and the need for constant innovation, this
Internet content company had less formal structure around its business operations.
They had millions of subscribers in 25 countries, multiple packaged services and new
promotional offers occurring on a regular basis, and more than 9,000 employees throughout
the world, but the company had never undergone a stringent, external audit. Adding to the
complexity was the fact that they had developed a large portion of their own systems.
The company had less than one year to prepare itself for Sarbanes-Oxley (SOX) compliance,
and almost every business group had one or more SOX-affected systems. Many of the employees responsible
for these systems were not familiar with the strict controls and the extensive documentation requirements
dictated by SOX. In addition, the different business groups were not using the same procedures for the same
processes.
Since SOX controls spanned financial processes, business operations, and IT infrastructure,
the company understood that this compliance effort was massive in terms of project management, gap
remediation, process documentation, control validation, evidence gathering, and the final audit
process itself. They needed a partner with IT and security audit expertise, along with
strong project management skills, to meet all the required deadlines.
COVESTIC'S SOLUTION
The company selected Covestic as their SOX compliance partner based on our extensive experience
in their industry and proven track record of SOX remediation successes. Covestic knew that this
was going to be a difficult project that required a combination of key subject matter experts and
program managers to deliver on-time compliance.
Covestic reviewed the control gap reports from the customer's audit team and collaborated with
the company's senior leadership team to design a control gap remediation plan, and through that,
define roles and responsibilities, resource requirements, and schedule. The phased approach began
with reviewing current policies and procedures along with the business process documentation.
Covestic analyzed that information and used it to define and present a roadmap for gap remediation,
testing, and staff preparation for the audit. Gap remediation tasks were organized into consumable
chunks that could be absorbed by the staff as they continued to tackle their existing workloads.
We then used our IT and security subject matter experts to create a process that enabled business
groups to assess themselves against the designated controls in order to meet the SOX self-assessment
requirement. This step helps to identify controls that aren't working effectively and address them
before the external auditors arrive.
Covestic used specific IT and security audit expertise combined with a centralized project management
structure to coordinate the multiple projects across the company. This structure served as a liaison
between the project teams and the executive sponsor. Covestic identified a number of efficiencies
that were leveraged across the business groups to help minimize compliance costs.
PROJECT RESULTS
Based on the work that Covestic did throughout the year prior to their audit, the company
achieved SOX compliance with no material disclosures. The company has succeeded in reassuring
both shareholders and customers that its financial figures are complete and accurate. They also
increased their efficiencies in several areas by implementing standardized and streamlined
processes.